Reward to Hack Encrypted File Sync From Tresorit
$10,000
This is a Press Release edited by StorageNewsletter.com on May 22, 2013 at 3:01 pm

Cloud security start-up Tresorit Kft trusts the security of its file sync service and offers $10,000 as a reward to the first hacker who is able to break it by getting a code from an encrypted vault (‘tresor’).
For the contest, special servers will be available, where hackers are granted the same access as Tresorit has. The start-up is convinced that even with this help, hackers won’t succeed. Tresorit is just now debuting its own file storage service based on Windows Azure.
According to most IT security experts, cloud-based data storage has a high risk potential. Users give up control of their content to service providers, who can access and share that content with third parties like secret services. Cloud data centers make good targets for hacking, and are extremely vulnerable to software errors because of the huge concentration of user data stored. For example, a Dropbox bug made entering a password optional for millions of users.
Tresorit solves this problem by providing shareable, client-side encryption. The service encrypts files before uploading them to the cloud, and the encryption key is never disclosed to the service provider. By using public-key cryptography, users can share the encrypted content with each other without revealing any information to the cloud or other unauthorized parties.
Tresorit developed their own crypto system based on standard algorithms like AES-256. According to their published technical description, they don’t use a convergent crypto algorithm like Mega does.
"Convergent crypto leaks information in order to save storage space. That is unacceptable for us," explains István Lám, CEO of Tresorit.
"We believe we created a cloud system which guarantees complete privacy, making it impossible to access user’s content, even for us," says Lám. "Many cloud services paint themselves secure, but few of them prove this. We want to prove our security."
On April 15th, Tresorit starts a hacking competition. They created an environment similar to what the actual service uses, complete with uploaded fake user data. One fake user account contains a code – a flag – which is worth $10,000. They built in an intentional vulnerability, so hackers can see each fake user’s data exactly the same way Tresorit admins can.
The application is available on Windows only, but Mac, Android and iOS versions are coming before June 2013.
The company was founded in 2011 based on research done at CrySys Lab by Istvan Lam, Szilveszter Szebeni and Levente Buttyan, PhD. Levente and his team in CrySys Lab also analyzed the well-known malware MiniDuke; Flame, the world’s most complex computer virus; the Stuxnet-like Duqu; and others.
Tresorit now works with a team of 20, based in Budapest, Hungary. The startup has raised $1.7 million from Euroventures, an investor in EPAM, which went public last year on the NYSE.